safe_htmlentities()

outlabl · February 2011

I'm having some issues with safe_htmlentities(). Judging by your notes in the function you know what I'm talking about: re-encoding the entitie's ampersand.

The server my site is on is using PHP 5.1.6. On which htmlentities() only accepts 3 parameters. That seems to be the main issue.

I'm going to try to get the PHP version updated. Are there any solutions until that happens or if the host won't do it?

outlabl · February 2011

Might the PHP version stop the MarkItUp image browser from displaying any data?

admin · February 2011

I'll look into the htmlentities issue to see if there is a fix I can make to that function. With regards to the MarkItUp image browser, the PHP version shouldn't cause any problems that I know of. What are you experiencing (e.g. an empty dropdown list of images, no images previewing...etc)?

outlabl · February 2011

An empty dropdown list.

Works locally and on my server. Nothing on the client's server, though.

admin · February 2011

What kind of server is it? Is it perhaps a windows box? Also, make sure to make the folders writable or they won't show up.

admin · February 2011

With regards to the htmlentities, I've been looking at it a little closer and I discovered a couple issues with it in which I think I have some fixes for locally and will include them in the upcoming 0.92 branch release that will hopefully be pretty soon. In particular, your issue with re-encoding the ampersand.

outlabl · February 2011

The server is a Linux box and the folders are, indeed, writable.

Looking forward to the htmlentities fix.

admin · February 2011

With the safe_htmlentities issue, I think there are actually 2 things that are going on. First, the Form::prep() method wasn't properly encoding those values for when they are being displayed in the form fields. The send part was that they are getting set to be translattd by the model because of the auto_encode_entities property being set to TRUE by default (you can set it to only encode on certain columns):
http://www.getfuelcms.com/user_guide/libraries/my_model

I've pasted those changes below if you want to make them locally, so you don't have to wait (and can test out too on your end :-):

In the fuel/application/Form.php class, replace the prep() method with the following:


public static function prep($str, $double_encode = TRUE)
	{
		$str = (string) $str;
		
		if ($double_encode)
		{
			$str = htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
		}
		
		// Do not encode existing HTML entities
		// From PHP 5.2.3 this functionality is built-in, otherwise use a regex
		if (version_compare(PHP_VERSION, '5.2.3', '>='))
		{
			$str = htmlspecialchars($str, ENT_QUOTES, 'UTF-8', FALSE);
		}
		else
		{
			$str = preg_replace('/&(?!(?:#\d++|[a-z]++);)/ui', '&amp;', $str);
			$str = str_replace(array('<', '>', '\'', '"'), array('&lt;', '&gt;', '&#39;', '&quot;'), $str);
		}
		return $str;
	}

In the MY_string_helper functions, replace safe_htmlentities with the following:


function safe_htmlentities($str, $protect_amp = TRUE)
{
	// convert all hex single quotes to numeric ... 
	// this was due to an issue we saw with htmlentities still encoding it's ampersand again'... 
	// but was inconsistent across different environments and versions... not sure the issue
	// may need to look into other hex characters
	$str = str_replace('&#x27;', '&#39;', $str);
	
	// setup temp markers for existing encoded tag brackets existing 
	$find = array('&lt;','&gt;');
	$replace = array('__TEMP_LT__','__TEMP_GT__');
	$str = str_replace($find,$replace, $str);
	
	// encode just &
	if ($protect_amp)
	{
		$str = preg_replace('/&(?![a-z#]+;)/i', '__TEMP_AMP__', $str);
	}

	// safely translate now
	if (version_compare(PHP_VERSION, '5.2.3', '>='))
	{
		$str = htmlspecialchars($str, ENT_NOQUOTES, 'UTF-8', FALSE);
	}
	else
	{
		$str = preg_replace('/&(?!(?:#\d++|[a-z]++);)/ui', '&amp;', $str);
		$str = str_replace(array('<', '>'), array('&lt;', '&gt;'), $str);
	}
	
	// translate everything back
	$str = str_replace($find, array('<','>'), $str);
	$str = str_replace($replace, $find, $str);
	if ($protect_amp)
	{
		$str = str_replace('__TEMP_AMP__', '&', $str);
	}
	return $str;
}

admin · February 2011

With regards to the image preview issue, could you echo out the $assets_path value on line 66 of the fuel/modules/fuel/models/assets_model.php to see what the value is there?

outlabl · February 2011

I've got:
/vservers/migrationbre/htdocs/assets/images/

Which is correct (I was wondering if it was a path issue, myself).

Folder and file permissions are set to 777.

admin · February 2011

Is there anything being returned by the next line with the call to the get_dir_file_info()? And then further down, if anything is being returned in the $return array?

Also, if you have IRC, I'm at irc.freenode.net in the fuelcms room (first time doing this for FUEL... so hopefully it works).

outlabl · February 2011

I got a large array for:

$tmpfiles
$files

But $return is empty. Which, obviously, is the problem.

Also, I am in the IRC room. Connected just fine with Colloquy but Adium wouldn't find it.

outlabl · February 2011

$return is empty after:

$return = array_slice($return, $offset, $limit);

$offset = 0
$limit is not set

admin · February 2011

For others, there seems to be an issue with array_slice on line 102 with an empty $limit value. The solution was to change it to this:
$return = (empty($limit)) ? array_slice($return, $offset) : array_slice($return, $offset, $limit);

Seems to be an issue with php 5.16
http://stackoverflow.com/questions/4321416/php-array-slice-null-length-results-in-empty-array

rwestergren · September 2011

I came across this thread when looking into an issue with displaying double quotes in a normal input field. In the prep function, shouldn't the correct line be:


$str = htmlspecialchars($str, ENT_QUOTES, 'UTF-8', FALSE);

This will then correctly escape quotes and allow editing of those fields.

admin · September 2011

Which line are you referring too?

rwestergren · September 2011

In the fuel/application/libraries/Form.php, line 431

admin · September 2011

$double_encode (not double quotes) is the 4th parameter and by default is set to TRUE for the htmlspecialchars function. That parameter is the second parameter in the prep() method.

rwestergren · September 2011

This function does not properly escape/prepare text containing double quotes for editing in a standard input element of a form.


	public static function prep($str, $double_encode = TRUE)
	{
		$str = (string) $str;
		
		if ($double_encode)
		{
			$str = htmlspecialchars($str, ENT_NOQUOTES, 'UTF-8');
		}
		
		// Do not encode existing HTML entities
		// From PHP 5.2.3 this functionality is built-in, otherwise use a regex
		if (version_compare(PHP_VERSION, '5.2.3', '>='))
		{
			$str = htmlspecialchars($str, ENT_NOQUOTES, 'UTF-8', FALSE);
		}
		else
		{
			$str = preg_replace('/&(?!(?:#\d++|[a-z]++);)/ui', '&amp;', $str);
			//$str = str_replace(array('<', '>', '\'', '"'), array('&lt;', '&gt;', '&#39;', '&quot;'), $str);
			$str = str_replace(array('<', '>'), array('&lt;', '&gt;'), $str);
		}
		return $str;
	}

I was able to make this work by changing ENT_NOQUOTES to ENT_QUOTES.

admin · September 2011

That appears to be from an older version. That function has been changed already in the master branch.

Howdy, Stranger!

Categories

safe_htmlentities()

Comments